
PyLocky Decryptor

This decryptor is intended to recover the files of victims affected by the PyLocky ransomware.

This decryptor runs on Windows systems only, and it requires a PCAP of the outbound connection attempt to the C&C servers. That connection is made seconds after the infection occurs and contains, among other information, the Initialization Vector (IV) and the password (both generated randomly at runtime) used to encrypt the files. Without a PCAP containing these values, decryption is not possible.
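To show what "the PCAP contains the IV and password" means in practice, here is an added example (Python 3, not the decryptor's own code, which targets Python 2.7) that walks a classic libpcap file, reassembles each TCP flow in capture order and pulls the two values out of the first complete HTTP POST it finds. It assumes the beacon is a plain HTTP POST whose form body carries the values as IV= and PASSWORD= fields; those field names, the URL path and every value in the constructed capture are assumptions, not PyLocky's actual format.

```python
"""Pull the IV and password out of a PCAP of the PyLocky C&C beacon.

Added example (not the decryptor's own code). Assumptions, labelled here and
below: the beacon is a plain HTTP POST whose form body carries the values as
'IV=' and 'PASSWORD=' fields (field names assumed); the capture is a classic
libpcap file (not pcapng) of Ethernet/IPv4/TCP frames.
"""
import struct
import sys
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4


def tcp_streams(pcap_bytes):
    """Concatenate TCP payloads per (src, sport, dst, dport) in capture order.
    No sequence-number handling: enough for one short beacon, not for captures
    with retransmissions or reordering."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    streams = {}
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue  # not TCP
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header and any options
        if data:
            key = (src, sport, dst, dport)
            streams[key] = streams.get(key, b"") + data
    return streams


def _content_length(head):
    """Declared Content-Length from raw HTTP headers, or None."""
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip())
    return None


def extract_beacon_secrets(pcap_bytes):
    """Return {'c2', 'iv', 'password'} from the first complete HTTP POST whose
    form body carries IV and PASSWORD (assumed field names), else None."""
    for (_src, _sport, dst, dport), data in tcp_streams(pcap_bytes).items():
        if not data.startswith(b"POST "):
            continue
        head, sep, body = data.partition(b"\r\n\r\n")
        if not sep:
            continue  # headers never completed in this capture
        declared = _content_length(head)
        if declared is not None and len(body) < declared:
            continue  # truncated capture: the values could be cut off
        fields = parse_qs(body.decode("latin-1"))
        if "IV" in fields and "PASSWORD" in fields:
            return {"c2": "%s:%d" % (dst, dport), "iv": fields["IV"][0], "password": fields["PASSWORD"][0]}
    return None


def _frame(src, dst, sport, dport, data):
    """Ethernet/IPv4/TCP frame with minimal headers (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture (all values made up): the POST is split across two
    segments (headers, then body) with an unrelated TLS segment in between."""
    body = b"PCNAME=WKS01&IV=7f3c1a9e2b4d6f08&PASSWORD=Qx9vT2mLp8KsW4hZ"
    head = (b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    frames = [
        _frame("192.0.2.10", "198.51.100.5", 49152, 80, head),
        _frame("192.0.2.10", "203.0.113.9", 49153, 443, b"\x16\x03\x01\x00\x05hello"),
        _frame("192.0.2.10", "198.51.100.5", 49152, 80, body),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1536000000 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(extract_beacon_secrets(data))
```

Run it with a real capture as the first argument or with no arguments to use the constructed one. Two checks matter when a victim hands you a capture: the POST body is often in a different segment from the headers, so per-flow reassembly is required, and a capture cut off mid-body (Content-Length larger than what arrived) must be rejected rather than yield a truncated IV or password.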

Wait for the decryptor to complete the decryption process, then verify that your files and system are usable.

Output

If the program is run with debug output enabled, you will be able to see in detail how the PCAP file is read, how the IV and password are extracted from it, and then which file the decryptor is reading, decrypting and restoring.

If there are no files with the .lockedfile extension, or all of them were already decrypted and removed in a previous run, you will simply get the following message:

No files with the ".lockedfile" extension were found. Please check again

Compiling the source code

If you need to modify the source code of the decryptor, you can do so using Python 2.7 and then rebuild the executable with PyInstaller on Windows. PyInstaller can be installed through the auto-py-to-exe module, a GUI that converts the Python script into a fully working exe file in a very easy way.

You can also use the command prompt, once you have auto-py-to-exe installed, with the following syntax:

C:\Users\User\Desktop>pyinstaller -y -F pylocky_decryptor.py

Note: if you get an import error stating "No module named Queue", simply add --hidden-import=Queue to the pyinstaller arguments and the exe file should be generated correctly. You can find the exe file in the dist folder under your current working directory, with the same name as the Python script but with the exe extension.

Warning

During the development and testing of this decryptor, the successful recovery of 3 infected systems (each with its corresponding PCAP file) was verified. The only issue found was with very large files (more than 4 GB), which could not be decrypted.

This tool is intended to be used on a live infected system, since it loops over all the hard drives installed in the system and searches for every file carrying the .lockedfile extension that PyLocky appends.

The debugging switch -d or --debug produces very verbose output, but it is useful for understanding what the decryptor is doing and for spotting any potential issues. It is recommended the first time the decryptor is executed.

Last but not least, the switch -r or --remove deletes the encrypted copies of the files. This helps clean up the leftovers of the infection; however, if something goes wrong during the process and a file is not decrypted properly while this option is enabled, the encrypted file will be deleted and there will be no way to recover its content. Please be careful: run the decryptor once without this option, verify the recovered files, and only then run it a second time with --remove, when the likelihood of losing content is much lower. Cisco won't be responsible for misuse of this tool.
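The drive walk described above and the ordering the --remove warning asks for (recover first, verify, delete the ciphertext only afterwards) can be made structural rather than a matter of running the tool twice. The following is an added example, not the decryptor's own code: it decrypts into a temporary file next to the target, fsyncs it, renames it into place atomically, and removes the .lockedfile copy only when a caller-supplied check accepts the plaintext. The cipher is a placeholder XOR, since this README does not describe PyLocky's algorithm; the assumption that the original name is the locked name minus its extension, the drive-letter probe and the sample files are likewise assumptions.

```python
"""Safe recovery loop for .lockedfile files: decrypt into a temp file, verify,
then (and only then) delete the encrypted copy when --remove was requested.
Added example, not the decryptor's own code. toy_decrypt stands in for
PyLocky's cipher, which this README does not describe."""
import os
import shutil
import string
import tempfile

LOCKED_EXT = ".lockedfile"


def find_locked_files(roots, ext=LOCKED_EXT):
    """Walk every root (e.g. all drive letters) and yield the encrypted files."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.endswith(ext):
                    yield os.path.join(dirpath, name)


def windows_drive_roots():
    """Drive letters present on a Windows host (assumption: probing X:\\ is enough)."""
    return [d + ":\\" for d in string.ascii_uppercase if os.path.exists(d + ":\\")]


def toy_decrypt(data, key=b"K"):
    """Stand-in transform (XOR with one byte); NOT PyLocky's algorithm.
    A real block cipher in CBC mode would have to carry state across chunks."""
    return bytes(b ^ key[0] for b in data)


def recover_file(locked_path, decrypt, verify, remove=False, ext=LOCKED_EXT, chunk=1 << 20):
    """Return True if locked_path was decrypted and verified.
    Ordering matters: the encrypted copy is deleted only after the plaintext is
    on disk (fsync + atomic replace) and verify() accepted it."""
    if not locked_path.endswith(ext):
        raise ValueError("not a %s file: %s" % (ext, locked_path))
    original = locked_path[:-len(ext)]  # assumption: PyLocky only appended the extension
    fd, tmp = tempfile.mkstemp(prefix=".recover-", dir=os.path.dirname(original) or ".")
    try:
        with os.fdopen(fd, "wb") as out, open(locked_path, "rb") as inp:
            # stream in chunks so multi-GB files are never read whole into memory
            for block in iter(lambda: inp.read(chunk), b""):
                out.write(decrypt(block))
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, original)  # never leaves a half-written original behind
    except BaseException:
        if os.path.exists(tmp):
            os.remove(tmp)
        raise
    if not verify(original):
        return False  # plaintext kept for inspection; ciphertext left untouched
    if remove:
        os.remove(locked_path)
    return True


def looks_like_pdf(path):
    """Sample verifier: the restored file starts with the PDF magic."""
    with open(path, "rb") as f:
        return f.read(5) == b"%PDF-"


def demo():
    """Run the loop on constructed files in a scratch directory; returns the outcomes."""
    work = tempfile.mkdtemp()
    try:
        plain = b"%PDF-1.4 constructed sample\n" * 4
        pdf_locked = os.path.join(work, "report.pdf" + LOCKED_EXT)
        txt_locked = os.path.join(work, "notes.txt" + LOCKED_EXT)
        with open(pdf_locked, "wb") as f:
            f.write(toy_decrypt(plain))  # XOR is its own inverse
        with open(txt_locked, "wb") as f:
            f.write(toy_decrypt(b"plain text that fails the PDF check"))
        found = len(list(find_locked_files([work])))
        first = recover_file(pdf_locked, toy_decrypt, looks_like_pdf)               # dry run, keeps ciphertext
        second = recover_file(pdf_locked, toy_decrypt, looks_like_pdf, remove=True)  # verified, so removed
        bad = recover_file(txt_locked, toy_decrypt, looks_like_pdf, remove=True)     # rejected, so kept
        with open(os.path.join(work, "report.pdf"), "rb") as f:
            restored = f.read() == plain
        return (found, first, second, not os.path.exists(pdf_locked), restored, bad, os.path.exists(txt_locked))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

On a real system the roots would come from windows_drive_roots() and the verifier would be whatever check fits the data (file-type magic, a known hash, or simply a human opening the file); the point is that a rejected verification leaves the .lockedfile in place even when --remove was requested.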